sec: Fix prototype pollution in webaccess module

ether · Aug 18, 2024 · 852f282 · 852f282
1 parent 4ff00e2
commit 852f282
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/src/node/hooks/express/webaccess.ts b/src/node/hooks/express/webaccess.ts
@@ -177,6 +177,10 @@ const checkAccess = async (req:any, res:any, next: Function) => {
       res.status(401).send('Authentication Required');
       return;
     }
+    if (ctx.username === '__proto__' || ctx.username === 'constructor' || ctx.username === 'prototype') {
+      res.end(403);
+      return;
+    }
     settings.users[ctx.username].username = ctx.username;
     // Make a shallow copy so that the password property can be deleted (to prevent it from
     // appearing in logs or in the database) without breaking future authentication attempts.